1184 lines
44 KiB
Java
1184 lines
44 KiB
Java
/*
|
|
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @summary This test is used to verify the compatibility on jarsigner cross
|
|
* different JDK releases. It also can be used to check jar signing (w/
|
|
* and w/o TSA) and verifying on some specific key algorithms and digest
|
|
* algorithms.
|
|
* Note that, this is a manual test. For more details about the test and
|
|
* its usages, please look through README.
|
|
*
|
|
* @modules java.base/sun.security.pkcs
|
|
* java.base/sun.security.timestamp
|
|
* java.base/sun.security.tools.keytool
|
|
* java.base/sun.security.util
|
|
* java.base/sun.security.x509
|
|
* @library /test/lib /lib/testlibrary ../warnings
|
|
* @compile -source 1.6 -target 1.6 JdkUtils.java
|
|
* @run main/manual/othervm Compatibility
|
|
*/
|
|
|
|
import java.io.BufferedReader;
|
|
import java.io.File;
|
|
import java.io.FileReader;
|
|
import java.io.FileWriter;
|
|
import java.io.IOException;
|
|
import java.io.PrintStream;
|
|
import java.text.DateFormat;
|
|
import java.text.SimpleDateFormat;
|
|
import java.util.ArrayList;
|
|
import java.util.Calendar;
|
|
import java.util.Date;
|
|
import java.util.HashMap;
|
|
import java.util.HashSet;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
import java.util.concurrent.TimeUnit;
|
|
import java.util.regex.Matcher;
|
|
import java.util.regex.Pattern;
|
|
|
|
import jdk.test.lib.process.OutputAnalyzer;
|
|
import jdk.test.lib.process.ProcessTools;
|
|
import jdk.test.lib.util.JarUtils;
|
|
|
|
public class Compatibility {
|
|
|
|
private static final String TEST_JAR_NAME = "test.jar";
|
|
|
|
private static final String TEST_SRC = System.getProperty("test.src");
|
|
private static final String TEST_CLASSES = System.getProperty("test.classes");
|
|
private static final String TEST_JDK = System.getProperty("test.jdk");
|
|
private static final String TEST_JARSIGNER = jarsignerPath(TEST_JDK);
|
|
|
|
private static final String PROXY_HOST = System.getProperty("proxyHost");
|
|
private static final String PROXY_PORT = System.getProperty("proxyPort", "80");
|
|
|
|
// An alternative security properties file.
|
|
// The test provides a default one, which only contains two lines:
|
|
// jdk.certpath.disabledAlgorithms=MD2, MD5
|
|
// jdk.jar.disabledAlgorithms=MD2, MD5
|
|
private static final String JAVA_SECURITY = System.getProperty(
|
|
"javaSecurityFile", TEST_SRC + "/java.security");
|
|
|
|
private static final String PASSWORD = "testpass";
|
|
private static final String KEYSTORE = "testKeystore";
|
|
|
|
private static final String RSA = "RSA";
|
|
private static final String DSA = "DSA";
|
|
private static final String EC = "EC";
|
|
private static final String[] KEY_ALGORITHMS = new String[] {
|
|
RSA,
|
|
DSA,
|
|
EC};
|
|
|
|
private static final String SHA1 = "SHA-1";
|
|
private static final String SHA256 = "SHA-256";
|
|
private static final String SHA512 = "SHA-512";
|
|
private static final String DEFAULT = "DEFAULT";
|
|
private static final String[] DIGEST_ALGORITHMS = new String[] {
|
|
SHA1,
|
|
SHA256,
|
|
SHA512,
|
|
DEFAULT};
|
|
|
|
private static final boolean[] EXPIRED = new boolean[] {
|
|
false,
|
|
true};
|
|
|
|
private static final Calendar CALENDAR = Calendar.getInstance();
|
|
private static final DateFormat DATE_FORMAT
|
|
= new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
|
|
|
|
// The certificate validity period in minutes. The default value is 1440
|
|
// minutes, namely 1 day.
|
|
private static final int CERT_VALIDITY
|
|
= Integer.valueOf(System.getProperty("certValidity", "1440"));
|
|
static {
|
|
if (CERT_VALIDITY < 1 || CERT_VALIDITY > 1440) {
|
|
throw new RuntimeException(
|
|
"certValidity if out of range [1, 1440]: " + CERT_VALIDITY);
|
|
}
|
|
}
|
|
|
|
// If true, an additional verifying will be triggered after all of
|
|
// valid certificates expire. The default value is false.
|
|
public static final boolean DELAY_VERIFY
|
|
= Boolean.valueOf(System.getProperty("delayVerify", "false"));
|
|
|
|
private static long lastCertStartTime;
|
|
|
|
private static DetailsOutputStream detailsOutput;
|
|
|
|
public static void main(String[] args) throws Throwable {
|
|
// Backups stdout and stderr.
|
|
PrintStream origStdOut = System.out;
|
|
PrintStream origStdErr = System.err;
|
|
|
|
detailsOutput = new DetailsOutputStream();
|
|
|
|
// Redirects the system output to a custom one.
|
|
PrintStream printStream = new PrintStream(detailsOutput);
|
|
System.setOut(printStream);
|
|
System.setErr(printStream);
|
|
|
|
List<TsaInfo> tsaList = tsaInfoList();
|
|
if (tsaList.size() == 0) {
|
|
throw new RuntimeException("TSA service is mandatory.");
|
|
}
|
|
|
|
List<JdkInfo> jdkInfoList = jdkInfoList();
|
|
List<CertInfo> certList = createCertificates(jdkInfoList);
|
|
createJar();
|
|
List<SignItem> signItems = test(jdkInfoList, tsaList, certList);
|
|
|
|
boolean failed = generateReport(tsaList, signItems);
|
|
|
|
// Restores the original stdout and stderr.
|
|
System.setOut(origStdOut);
|
|
System.setErr(origStdErr);
|
|
|
|
if (failed) {
|
|
throw new RuntimeException("At least one test case failed. "
|
|
+ "Please check the failed row(s) in report.html "
|
|
+ "or failedReport.html.");
|
|
}
|
|
}
|
|
|
|
// Creates a jar file that contains an empty file.
|
|
private static void createJar() throws IOException {
|
|
String testFile = "test";
|
|
new File(testFile).createNewFile();
|
|
JarUtils.createJar(TEST_JAR_NAME, testFile);
|
|
}
|
|
|
|
// Creates a key store that includes a set of valid/expired certificates
|
|
// with various algorithms.
|
|
private static List<CertInfo> createCertificates(List<JdkInfo> jdkInfoList)
|
|
throws Throwable {
|
|
List<CertInfo> certList = new ArrayList<CertInfo>();
|
|
Set<String> expiredCertFilter = new HashSet<String>();
|
|
|
|
for(JdkInfo jdkInfo : jdkInfoList) {
|
|
for(String keyAlgorithm : KEY_ALGORITHMS) {
|
|
for(String digestAlgorithm : DIGEST_ALGORITHMS) {
|
|
for(int keySize : keySizes(keyAlgorithm)) {
|
|
for(boolean expired : EXPIRED) {
|
|
// It creates only one expired certificate for one
|
|
// key algorithm.
|
|
if (expired
|
|
&& !expiredCertFilter.add(keyAlgorithm)) {
|
|
continue;
|
|
}
|
|
|
|
CertInfo certInfo = new CertInfo(
|
|
jdkInfo.version,
|
|
keyAlgorithm,
|
|
digestAlgorithm,
|
|
keySize,
|
|
expired);
|
|
if (!certList.contains(certInfo)) {
|
|
String alias = createCertificate(
|
|
jdkInfo.jdkPath, certInfo);
|
|
if (alias != null) {
|
|
certList.add(certInfo);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return certList;
|
|
}
|
|
|
|
// Creates/Updates a key store that adds a certificate with specific algorithm.
|
|
private static String createCertificate(String jdkPath, CertInfo certInfo)
|
|
throws Throwable {
|
|
String alias = certInfo.alias();
|
|
|
|
List<String> arguments = new ArrayList<String>();
|
|
arguments.add("-J-Djava.security.properties=" + JAVA_SECURITY);
|
|
arguments.add("-v");
|
|
arguments.add("-storetype");
|
|
arguments.add("jks");
|
|
arguments.add("-genkey");
|
|
arguments.add("-keyalg");
|
|
arguments.add(certInfo.keyAlgorithm);
|
|
String sigalg = sigalg(certInfo.digestAlgorithm, certInfo.keyAlgorithm);
|
|
if (sigalg != null) {
|
|
arguments.add("-sigalg");
|
|
arguments.add(sigalg);
|
|
}
|
|
if (certInfo.keySize != 0) {
|
|
arguments.add("-keysize");
|
|
arguments.add(certInfo.keySize + "");
|
|
}
|
|
arguments.add("-dname");
|
|
arguments.add("CN=Test");
|
|
arguments.add("-alias");
|
|
arguments.add(alias);
|
|
arguments.add("-keypass");
|
|
arguments.add(PASSWORD);
|
|
arguments.add("-storepass");
|
|
arguments.add(PASSWORD);
|
|
|
|
arguments.add("-startdate");
|
|
arguments.add(startDate(certInfo.expired));
|
|
arguments.add("-validity");
|
|
arguments.add("1");
|
|
arguments.add("-keystore");
|
|
arguments.add(KEYSTORE);
|
|
|
|
OutputAnalyzer outputAnalyzer = execTool(
|
|
jdkPath + "/bin/keytool",
|
|
arguments.toArray(new String[arguments.size()]));
|
|
if (outputAnalyzer.getExitValue() == 0
|
|
&& !outputAnalyzer.getOutput().matches("[Ee]xception")) {
|
|
return alias;
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private static String sigalg(String digestAlgorithm, String keyAlgorithm) {
|
|
if (digestAlgorithm == DEFAULT) {
|
|
return null;
|
|
}
|
|
|
|
String keyName = keyAlgorithm == EC ? "ECDSA" : keyAlgorithm;
|
|
return digestAlgorithm.replace("-", "") + "with" + keyName;
|
|
}
|
|
|
|
// The validity period of a certificate always be 1 day. For creating an
|
|
// expired certificate, the start date is the time before 1 day, then the
|
|
// certificate expires immediately. And for creating a valid certificate,
|
|
// the start date is the time before (1 day - CERT_VALIDITY minutes), then
|
|
// the certificate will expires in CERT_VALIDITY minutes.
|
|
private static String startDate(boolean expiredCert) {
|
|
CALENDAR.setTime(new Date());
|
|
CALENDAR.add(Calendar.DAY_OF_MONTH, -1);
|
|
if (!expiredCert) {
|
|
CALENDAR.add(Calendar.MINUTE, CERT_VALIDITY);
|
|
}
|
|
Date startDate = CALENDAR.getTime();
|
|
lastCertStartTime = startDate.getTime();
|
|
return DATE_FORMAT.format(startDate);
|
|
}
|
|
|
|
// Retrieves JDK info from the file which is specified by property jdkListFile,
|
|
// or from property jdkList if jdkListFile is not available.
|
|
private static List<JdkInfo> jdkInfoList() throws Throwable {
|
|
String[] jdkList = list("jdkList");
|
|
if (jdkList.length == 0) {
|
|
jdkList = new String[] { TEST_JDK };
|
|
}
|
|
|
|
List<JdkInfo> jdkInfoList = new ArrayList<JdkInfo>();
|
|
for (String jdkPath : jdkList) {
|
|
JdkInfo jdkInfo = new JdkInfo(jdkPath);
|
|
// The JDK version must be unique.
|
|
if (!jdkInfoList.contains(jdkInfo)) {
|
|
jdkInfoList.add(jdkInfo);
|
|
} else {
|
|
System.out.println("The JDK version is duplicate: " + jdkPath);
|
|
}
|
|
}
|
|
return jdkInfoList;
|
|
}
|
|
|
|
// Retrieves TSA info from the file which is specified by property tsaListFile,
|
|
// or from property tsaList if tsaListFile is not available.
|
|
private static List<TsaInfo> tsaInfoList() throws IOException {
|
|
String[] tsaList = list("tsaList");
|
|
|
|
List<TsaInfo> tsaInfoList = new ArrayList<TsaInfo>();
|
|
for (int i = 0; i < tsaList.length; i++) {
|
|
String[] values = tsaList[i].split(";digests=");
|
|
|
|
String[] digests = new String[0];
|
|
if (values.length == 2) {
|
|
digests = values[1].split(",");
|
|
}
|
|
|
|
TsaInfo bufTsa = new TsaInfo(i, values[0]);
|
|
|
|
for (String digest : digests) {
|
|
bufTsa.addDigest(digest);
|
|
}
|
|
|
|
tsaInfoList.add(bufTsa);
|
|
}
|
|
|
|
return tsaInfoList;
|
|
}
|
|
|
|
private static String[] list(String listProp)
|
|
throws IOException {
|
|
String listFileProp = listProp + "File";
|
|
String listFile = System.getProperty(listFileProp);
|
|
if (!isEmpty(listFile)) {
|
|
System.out.println(listFileProp + "=" + listFile);
|
|
List<String> list = new ArrayList<String>();
|
|
BufferedReader reader = new BufferedReader(
|
|
new FileReader(listFile));
|
|
String line;
|
|
while ((line = reader.readLine()) != null) {
|
|
String item = line.trim();
|
|
if (!item.isEmpty()) {
|
|
list.add(item);
|
|
}
|
|
}
|
|
reader.close();
|
|
return list.toArray(new String[list.size()]);
|
|
}
|
|
|
|
String list = System.getProperty(listProp);
|
|
System.out.println(listProp + "=" + list);
|
|
return !isEmpty(list) ? list.split("#") : new String[0];
|
|
}
|
|
|
|
private static boolean isEmpty(String str) {
|
|
return str == null || str.isEmpty();
|
|
}
|
|
|
|
// A JDK (signer) signs a jar with a variety of algorithms, and then all of
|
|
// JDKs (verifiers), including the signer itself, try to verify the signed
|
|
// jars respectively.
|
|
private static List<SignItem> test(List<JdkInfo> jdkInfoList,
|
|
List<TsaInfo> tsaInfoList, List<CertInfo> certList)
|
|
throws Throwable {
|
|
detailsOutput.transferPhase();
|
|
List<SignItem> signItems = signing(jdkInfoList, tsaInfoList, certList);
|
|
|
|
detailsOutput.transferPhase();
|
|
for (SignItem signItem : signItems) {
|
|
for (JdkInfo verifierInfo : jdkInfoList) {
|
|
// JDK 6 doesn't support EC
|
|
if (!verifierInfo.isJdk6()
|
|
|| signItem.certInfo.keyAlgorithm != EC) {
|
|
verifying(signItem, VerifyItem.build(verifierInfo));
|
|
}
|
|
}
|
|
}
|
|
|
|
if (DELAY_VERIFY) {
|
|
detailsOutput.transferPhase();
|
|
System.out.print("Waiting for delay verifying");
|
|
long lastCertExpirationTime = lastCertStartTime + 24 * 60 * 60 * 1000;
|
|
while (System.currentTimeMillis() < lastCertExpirationTime) {
|
|
TimeUnit.SECONDS.sleep(30);
|
|
System.out.print(".");
|
|
}
|
|
System.out.println();
|
|
|
|
System.out.println("Delay verifying starts");
|
|
for (SignItem signItem : signItems) {
|
|
for (VerifyItem verifyItem : signItem.verifyItems) {
|
|
verifying(signItem, verifyItem);
|
|
}
|
|
}
|
|
}
|
|
|
|
detailsOutput.transferPhase();
|
|
|
|
return signItems;
|
|
}
|
|
|
|
private static List<SignItem> signing(List<JdkInfo> jdkInfos,
|
|
List<TsaInfo> tsaList, List<CertInfo> certList) throws Throwable {
|
|
List<SignItem> signItems = new ArrayList<SignItem>();
|
|
|
|
Set<String> signFilter = new HashSet<String>();
|
|
|
|
for (JdkInfo signerInfo : jdkInfos) {
|
|
for (String keyAlgorithm : KEY_ALGORITHMS) {
|
|
// JDK 6 doesn't support EC
|
|
if (signerInfo.isJdk6() && keyAlgorithm == EC) {
|
|
continue;
|
|
}
|
|
|
|
for (String digestAlgorithm : DIGEST_ALGORITHMS) {
|
|
String sigalg = sigalg(digestAlgorithm, keyAlgorithm);
|
|
// If the signature algorithm is not supported by the JDK,
|
|
// it cannot try to sign jar with this algorithm.
|
|
if (sigalg != null && !signerInfo.isSupportedSigalg(sigalg)) {
|
|
continue;
|
|
}
|
|
|
|
// If the JDK doesn't support option -tsadigestalg, the
|
|
// associated cases just be ignored.
|
|
if (digestAlgorithm != DEFAULT
|
|
&& !signerInfo.supportsTsadigestalg) {
|
|
continue;
|
|
}
|
|
|
|
for (int keySize : keySizes(keyAlgorithm)) {
|
|
for (boolean expired : EXPIRED) {
|
|
CertInfo certInfo = new CertInfo(
|
|
signerInfo.version,
|
|
keyAlgorithm,
|
|
digestAlgorithm,
|
|
keySize,
|
|
expired);
|
|
if (!certList.contains(certInfo)) {
|
|
continue;
|
|
}
|
|
|
|
String tsadigestalg = digestAlgorithm != DEFAULT
|
|
? digestAlgorithm
|
|
: null;
|
|
|
|
for (TsaInfo tsaInfo : tsaList) {
|
|
// It has to ignore the digest algorithm, which
|
|
// is not supported by the TSA server.
|
|
if(!tsaInfo.isDigestSupported(tsadigestalg)) {
|
|
continue;
|
|
}
|
|
|
|
String tsaUrl = tsaInfo.tsaUrl;
|
|
if (TsaFilter.filter(
|
|
signerInfo.version,
|
|
digestAlgorithm,
|
|
expired,
|
|
tsaInfo.index)) {
|
|
tsaUrl = null;
|
|
}
|
|
|
|
String signedJar = "JDK_"
|
|
+ signerInfo.version + "-CERT_"
|
|
+ certInfo
|
|
+ (tsaUrl == null
|
|
? ""
|
|
: "-TSA_" + tsaInfo.index);
|
|
|
|
// It has to ignore the same jar signing.
|
|
if (!signFilter.add(signedJar)) {
|
|
continue;
|
|
}
|
|
|
|
SignItem signItem = SignItem.build()
|
|
.certInfo(certInfo)
|
|
.version(signerInfo.version)
|
|
.signatureAlgorithm(sigalg)
|
|
.tsaDigestAlgorithm(
|
|
tsaUrl == null
|
|
? null
|
|
: tsadigestalg)
|
|
.tsaIndex(
|
|
tsaUrl == null
|
|
? -1
|
|
: tsaInfo.index)
|
|
.signedJar(signedJar);
|
|
String signingId = signingId(signItem);
|
|
detailsOutput.writeAnchorName(signingId,
|
|
"Signing: " + signingId);
|
|
|
|
OutputAnalyzer signOA = signJar(
|
|
signerInfo.jarsignerPath,
|
|
sigalg,
|
|
tsadigestalg,
|
|
tsaUrl,
|
|
certInfo.alias(),
|
|
signedJar);
|
|
Status signingStatus = signingStatus(signOA);
|
|
signItem.status(signingStatus);
|
|
|
|
if (signingStatus != Status.ERROR) {
|
|
// Using the testing JDK, which is specified
|
|
// by jtreg option "-jdk", to verify the
|
|
// signed jar and extract the signature
|
|
// algorithm and timestamp digest algorithm.
|
|
String output = verifyJar(TEST_JARSIGNER,
|
|
signedJar).getOutput();
|
|
signItem.extractedSignatureAlgorithm(
|
|
extract(output,
|
|
" *Signature algorithm.*",
|
|
".*: |,.*"));
|
|
signItem.extractedTsaDigestAlgorithm(
|
|
extract(output,
|
|
" *Timestamp digest algorithm.*",
|
|
".*: "));
|
|
}
|
|
|
|
signItems.add(signItem);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return signItems;
|
|
}
|
|
|
|
private static void verifying(SignItem signItem, VerifyItem verifyItem)
|
|
throws Throwable {
|
|
boolean delayVerify = verifyItem.status == Status.NONE;
|
|
String verifyingId = verifyingId(signItem, verifyItem, !delayVerify);
|
|
detailsOutput.writeAnchorName(verifyingId, "Verifying: " + verifyingId);
|
|
|
|
OutputAnalyzer verifyOA = verifyJar(verifyItem.jdkInfo.jarsignerPath,
|
|
signItem.signedJar);
|
|
Status verifyingStatus = verifyingStatus(verifyOA);
|
|
|
|
// It checks if the default timestamp digest algorithm is SHA-256.
|
|
if (verifyingStatus != Status.ERROR
|
|
&& signItem.tsaDigestAlgorithm == null) {
|
|
verifyingStatus = signItem.extractedTsaDigestAlgorithm != null
|
|
&& !signItem.extractedTsaDigestAlgorithm.matches("SHA-?256")
|
|
? Status.ERROR
|
|
: verifyingStatus;
|
|
if (verifyingStatus == Status.ERROR) {
|
|
System.out.println("The default tsa digest is not SHA-256: "
|
|
+ signItem.extractedTsaDigestAlgorithm);
|
|
}
|
|
}
|
|
|
|
if (delayVerify) {
|
|
signItem.addVerifyItem(verifyItem.status(verifyingStatus));
|
|
} else {
|
|
verifyItem.delayStatus(verifyingStatus);
|
|
}
|
|
}
|
|
|
|
// Return key sizes according to the specified key algorithm.
|
|
private static int[] keySizes(String keyAlgorithm) {
|
|
if (keyAlgorithm == RSA || keyAlgorithm == DSA) {
|
|
return new int[] { 1024, 2048, 0 };
|
|
} else if (keyAlgorithm == EC) {
|
|
return new int[] { 384, 571, 0 };
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
// Determines the status of signing.
|
|
private static Status signingStatus(OutputAnalyzer outputAnalyzer) {
|
|
if (outputAnalyzer.getExitValue() == 0) {
|
|
if (outputAnalyzer.getOutput().contains(Test.WARNING)) {
|
|
return Status.WARNING;
|
|
} else {
|
|
return Status.NORMAL;
|
|
}
|
|
} else {
|
|
return Status.ERROR;
|
|
}
|
|
}
|
|
|
|
// Determines the status of verifying.
|
|
private static Status verifyingStatus(OutputAnalyzer outputAnalyzer) {
|
|
if (outputAnalyzer.getExitValue() == 0) {
|
|
String output = outputAnalyzer.getOutput();
|
|
if (!output.contains(Test.JAR_VERIFIED)) {
|
|
return Status.ERROR;
|
|
} else if (output.contains(Test.WARNING)) {
|
|
return Status.WARNING;
|
|
} else {
|
|
return Status.NORMAL;
|
|
}
|
|
} else {
|
|
return Status.ERROR;
|
|
}
|
|
}
|
|
|
|
// Extracts string from text by specified patterns.
|
|
private static String extract(String text, String linePattern,
|
|
String replacePattern) {
|
|
Matcher lineMatcher = Pattern.compile(linePattern).matcher(text);
|
|
if (lineMatcher.find()) {
|
|
String line = lineMatcher.group(0);
|
|
return line.replaceAll(replacePattern, "");
|
|
} else {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
// Using specified jarsigner to sign the pre-created jar with specified
|
|
// algorithms.
|
|
private static OutputAnalyzer signJar(String jarsignerPath, String sigalg,
|
|
String tsadigestalg, String tsa, String alias, String signedJar)
|
|
throws Throwable {
|
|
List<String> arguments = new ArrayList<String>();
|
|
|
|
if (PROXY_HOST != null && PROXY_PORT != null) {
|
|
arguments.add("-J-Dhttp.proxyHost=" + PROXY_HOST);
|
|
arguments.add("-J-Dhttp.proxyPort=" + PROXY_PORT);
|
|
arguments.add("-J-Dhttps.proxyHost=" + PROXY_HOST);
|
|
arguments.add("-J-Dhttps.proxyPort=" + PROXY_PORT);
|
|
}
|
|
arguments.add("-J-Djava.security.properties=" + JAVA_SECURITY);
|
|
arguments.add("-debug");
|
|
arguments.add("-verbose");
|
|
if (sigalg != null) {
|
|
arguments.add("-sigalg");
|
|
arguments.add(sigalg);
|
|
}
|
|
if (tsa != null) {
|
|
arguments.add("-tsa");
|
|
arguments.add(tsa);
|
|
}
|
|
if (tsadigestalg != null) {
|
|
arguments.add("-tsadigestalg");
|
|
arguments.add(tsadigestalg);
|
|
}
|
|
arguments.add("-keystore");
|
|
arguments.add(KEYSTORE);
|
|
arguments.add("-storepass");
|
|
arguments.add(PASSWORD);
|
|
arguments.add("-signedjar");
|
|
arguments.add(signedJar + ".jar");
|
|
arguments.add(TEST_JAR_NAME);
|
|
arguments.add(alias);
|
|
|
|
OutputAnalyzer outputAnalyzer = execTool(
|
|
jarsignerPath,
|
|
arguments.toArray(new String[arguments.size()]));
|
|
return outputAnalyzer;
|
|
}
|
|
|
|
// Using specified jarsigner to verify the signed jar.
|
|
private static OutputAnalyzer verifyJar(String jarsignerPath,
|
|
String signedJar) throws Throwable {
|
|
OutputAnalyzer outputAnalyzer = execTool(
|
|
jarsignerPath,
|
|
"-J-Djava.security.properties=" + JAVA_SECURITY,
|
|
"-debug",
|
|
"-verbose",
|
|
"-certs",
|
|
"-keystore", KEYSTORE,
|
|
"-verify", signedJar + ".jar");
|
|
return outputAnalyzer;
|
|
}
|
|
|
|
// Generates the test result report.
|
|
private static boolean generateReport(List<TsaInfo> tsaList,
|
|
List<SignItem> signItems) throws IOException {
|
|
System.out.println("Report is being generated...");
|
|
|
|
StringBuilder report = new StringBuilder();
|
|
report.append(HtmlHelper.startHtml());
|
|
report.append(HtmlHelper.startPre());
|
|
// Generates TSA URLs
|
|
report.append("TSA list:\n");
|
|
for(TsaInfo tsaInfo : tsaList) {
|
|
report.append(
|
|
String.format("%d=%s%n", tsaInfo.index, tsaInfo.tsaUrl));
|
|
}
|
|
report.append(HtmlHelper.endPre());
|
|
|
|
report.append(HtmlHelper.startTable());
|
|
// Generates report headers.
|
|
List<String> headers = new ArrayList<String>();
|
|
headers.add("[Certificate]");
|
|
headers.add("[Signer JDK]");
|
|
headers.add("[Signature Algorithm]");
|
|
headers.add("[TSA Digest]");
|
|
headers.add("[TSA]");
|
|
headers.add("[Signing Status]");
|
|
headers.add("[Verifier JDK]");
|
|
headers.add("[Verifying Status]");
|
|
if (DELAY_VERIFY) {
|
|
headers.add("[Delay Verifying Status]");
|
|
}
|
|
headers.add("[Failed]");
|
|
report.append(HtmlHelper.htmlRow(
|
|
headers.toArray(new String[headers.size()])));
|
|
|
|
StringBuilder failedReport = new StringBuilder(report.toString());
|
|
|
|
boolean failed = false;
|
|
|
|
// Generates report rows.
|
|
for (SignItem signItem : signItems) {
|
|
for (VerifyItem verifyItem : signItem.verifyItems) {
|
|
String reportRow = reportRow(signItem, verifyItem);
|
|
report.append(reportRow);
|
|
boolean isFailedCase = isFailed(signItem, verifyItem);
|
|
if (isFailedCase) {
|
|
failedReport.append(reportRow);
|
|
}
|
|
failed = failed || isFailedCase;
|
|
}
|
|
}
|
|
|
|
report.append(HtmlHelper.endTable());
|
|
report.append(HtmlHelper.endHtml());
|
|
generateFile("report.html", report.toString());
|
|
if (failed) {
|
|
failedReport.append(HtmlHelper.endTable());
|
|
failedReport.append(HtmlHelper.endPre());
|
|
failedReport.append(HtmlHelper.endHtml());
|
|
generateFile("failedReport.html", failedReport.toString());
|
|
}
|
|
|
|
System.out.println("Report is generated.");
|
|
return failed;
|
|
}
|
|
|
|
private static void generateFile(String path, String content)
|
|
throws IOException {
|
|
FileWriter writer = new FileWriter(new File(path));
|
|
writer.write(content);
|
|
writer.close();
|
|
}
|
|
|
|
private static String jarsignerPath(String jdkPath) {
|
|
return jdkPath + "/bin/jarsigner";
|
|
}
|
|
|
|
// Executes the specified function on JdkUtils by the specified JDK.
|
|
private static String execJdkUtils(String jdkPath, String method,
|
|
String... args) throws Throwable {
|
|
String[] cmd = new String[args.length + 5];
|
|
cmd[0] = jdkPath + "/bin/java";
|
|
cmd[1] = "-cp";
|
|
cmd[2] = TEST_CLASSES;
|
|
cmd[3] = JdkUtils.class.getName();
|
|
cmd[4] = method;
|
|
System.arraycopy(args, 0, cmd, 5, args.length);
|
|
return ProcessTools.executeCommand(cmd).getOutput();
|
|
}
|
|
|
|
// Executes the specified JDK tools, such as keytool and jarsigner, and
|
|
// ensures the output is in US English.
|
|
private static OutputAnalyzer execTool(String toolPath, String... args)
|
|
throws Throwable {
|
|
String[] cmd = new String[args.length + 4];
|
|
cmd[0] = toolPath;
|
|
cmd[1] = "-J-Duser.language=en";
|
|
cmd[2] = "-J-Duser.country=US";
|
|
cmd[3] = "-J-Djava.security.egd=file:/dev/./urandom";
|
|
System.arraycopy(args, 0, cmd, 4, args.length);
|
|
return ProcessTools.executeCommand(cmd);
|
|
}
|
|
|
|
private static class JdkInfo {
|
|
|
|
private final String jdkPath;
|
|
private final String jarsignerPath;
|
|
private final String version;
|
|
private final boolean supportsTsadigestalg;
|
|
|
|
private Map<String, Boolean> sigalgMap = new HashMap<String, Boolean>();
|
|
|
|
private JdkInfo(String jdkPath) throws Throwable {
|
|
this.jdkPath = jdkPath;
|
|
version = execJdkUtils(jdkPath, JdkUtils.M_JAVA_RUNTIME_VERSION);
|
|
if (version == null || version.trim().isEmpty()) {
|
|
throw new RuntimeException(
|
|
"Cannot determine the JDK version: " + jdkPath);
|
|
}
|
|
jarsignerPath = jarsignerPath(jdkPath);
|
|
supportsTsadigestalg = execTool(jarsignerPath, "-help")
|
|
.getOutput().contains("-tsadigestalg");
|
|
}
|
|
|
|
private boolean isSupportedSigalg(String sigalg) throws Throwable {
|
|
if (!sigalgMap.containsKey(sigalg)) {
|
|
boolean isSupported = "true".equalsIgnoreCase(
|
|
execJdkUtils(
|
|
jdkPath,
|
|
JdkUtils.M_IS_SUPPORTED_SIGALG,
|
|
sigalg));
|
|
sigalgMap.put(sigalg, isSupported);
|
|
}
|
|
|
|
return sigalgMap.get(sigalg);
|
|
}
|
|
|
|
private boolean isJdk6() {
|
|
return version.startsWith("1.6");
|
|
}
|
|
|
|
@Override
|
|
public int hashCode() {
|
|
final int prime = 31;
|
|
int result = 1;
|
|
result = prime * result
|
|
+ ((version == null) ? 0 : version.hashCode());
|
|
return result;
|
|
}
|
|
|
|
@Override
|
|
public boolean equals(Object obj) {
|
|
if (this == obj)
|
|
return true;
|
|
if (obj == null)
|
|
return false;
|
|
if (getClass() != obj.getClass())
|
|
return false;
|
|
JdkInfo other = (JdkInfo) obj;
|
|
if (version == null) {
|
|
if (other.version != null)
|
|
return false;
|
|
} else if (!version.equals(other.version))
|
|
return false;
|
|
return true;
|
|
}
|
|
}
|
|
|
|
private static class TsaInfo {
|
|
|
|
private final int index;
|
|
private final String tsaUrl;
|
|
private Set<String> digestList = new HashSet<String>();
|
|
|
|
private TsaInfo(int index, String tsa) {
|
|
this.index = index;
|
|
this.tsaUrl = tsa;
|
|
}
|
|
|
|
private void addDigest(String digest) {
|
|
if (!ignore(digest)) {
|
|
digestList.add(digest);
|
|
}
|
|
}
|
|
|
|
private static boolean ignore(String digest) {
|
|
return !SHA1.equalsIgnoreCase(digest)
|
|
&& !SHA256.equalsIgnoreCase(digest)
|
|
&& !SHA512.equalsIgnoreCase(digest);
|
|
}
|
|
|
|
private boolean isDigestSupported(String digest) {
|
|
return digest == null || digestList.isEmpty()
|
|
|| digestList.contains(digest);
|
|
}
|
|
}
|
|
|
|
private static class CertInfo {
|
|
|
|
private final String jdkVersion;
|
|
private final String keyAlgorithm;
|
|
private final String digestAlgorithm;
|
|
private final int keySize;
|
|
private final boolean expired;
|
|
|
|
private CertInfo(String jdkVersion, String keyAlgorithm,
|
|
String digestAlgorithm, int keySize, boolean expired) {
|
|
this.jdkVersion = jdkVersion;
|
|
this.keyAlgorithm = keyAlgorithm;
|
|
this.digestAlgorithm = digestAlgorithm;
|
|
this.keySize = keySize;
|
|
this.expired = expired;
|
|
}
|
|
|
|
@Override
|
|
public int hashCode() {
|
|
final int prime = 31;
|
|
int result = 1;
|
|
result = prime * result
|
|
+ ((digestAlgorithm == null) ? 0 : digestAlgorithm.hashCode());
|
|
result = prime * result + (expired ? 1231 : 1237);
|
|
result = prime * result
|
|
+ ((jdkVersion == null) ? 0 : jdkVersion.hashCode());
|
|
result = prime * result
|
|
+ ((keyAlgorithm == null) ? 0 : keyAlgorithm.hashCode());
|
|
result = prime * result + keySize;
|
|
return result;
|
|
}
|
|
|
|
@Override
|
|
public boolean equals(Object obj) {
|
|
if (this == obj)
|
|
return true;
|
|
if (obj == null)
|
|
return false;
|
|
if (getClass() != obj.getClass())
|
|
return false;
|
|
CertInfo other = (CertInfo) obj;
|
|
if (digestAlgorithm == null) {
|
|
if (other.digestAlgorithm != null)
|
|
return false;
|
|
} else if (!digestAlgorithm.equals(other.digestAlgorithm))
|
|
return false;
|
|
if (expired != other.expired)
|
|
return false;
|
|
if (jdkVersion == null) {
|
|
if (other.jdkVersion != null)
|
|
return false;
|
|
} else if (!jdkVersion.equals(other.jdkVersion))
|
|
return false;
|
|
if (keyAlgorithm == null) {
|
|
if (other.keyAlgorithm != null)
|
|
return false;
|
|
} else if (!keyAlgorithm.equals(other.keyAlgorithm))
|
|
return false;
|
|
if (keySize != other.keySize)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
private String alias() {
|
|
return jdkVersion + "_" + toString();
|
|
}
|
|
|
|
@Override
|
|
public String toString() {
|
|
return keyAlgorithm + "_" + digestAlgorithm
|
|
+ (keySize == 0 ? "" : "_" + keySize)
|
|
+ (expired ? "_Expired" : "");
|
|
}
|
|
}
|
|
|
|
// It does only one timestamping for the same JDK, digest algorithm and
|
|
// TSA service with an arbitrary valid/expired certificate.
|
|
private static class TsaFilter {
|
|
|
|
private static final Set<Condition> SET = new HashSet<Condition>();
|
|
|
|
private static boolean filter(String signerVersion,
|
|
String digestAlgorithm, boolean expiredCert, int tsaIndex) {
|
|
return !SET.add(new Condition(signerVersion, digestAlgorithm,
|
|
expiredCert, tsaIndex));
|
|
}
|
|
|
|
private static class Condition {
|
|
|
|
private final String signerVersion;
|
|
private final String digestAlgorithm;
|
|
private final boolean expiredCert;
|
|
private final int tsaIndex;
|
|
|
|
private Condition(String signerVersion, String digestAlgorithm,
|
|
boolean expiredCert, int tsaIndex) {
|
|
this.signerVersion = signerVersion;
|
|
this.digestAlgorithm = digestAlgorithm;
|
|
this.expiredCert = expiredCert;
|
|
this.tsaIndex = tsaIndex;
|
|
}
|
|
|
|
@Override
|
|
public int hashCode() {
|
|
final int prime = 31;
|
|
int result = 1;
|
|
result = prime * result
|
|
+ ((digestAlgorithm == null) ? 0 : digestAlgorithm.hashCode());
|
|
result = prime * result + (expiredCert ? 1231 : 1237);
|
|
result = prime * result
|
|
+ ((signerVersion == null) ? 0 : signerVersion.hashCode());
|
|
result = prime * result + tsaIndex;
|
|
return result;
|
|
}
|
|
|
|
@Override
|
|
public boolean equals(Object obj) {
|
|
if (this == obj)
|
|
return true;
|
|
if (obj == null)
|
|
return false;
|
|
if (getClass() != obj.getClass())
|
|
return false;
|
|
Condition other = (Condition) obj;
|
|
if (digestAlgorithm == null) {
|
|
if (other.digestAlgorithm != null)
|
|
return false;
|
|
} else if (!digestAlgorithm.equals(other.digestAlgorithm))
|
|
return false;
|
|
if (expiredCert != other.expiredCert)
|
|
return false;
|
|
if (signerVersion == null) {
|
|
if (other.signerVersion != null)
|
|
return false;
|
|
} else if (!signerVersion.equals(other.signerVersion))
|
|
return false;
|
|
if (tsaIndex != other.tsaIndex)
|
|
return false;
|
|
return true;
|
|
}
|
|
}}
|
|
|
|
private static enum Status {
|
|
|
|
// No action due to pre-action fails.
|
|
NONE,
|
|
|
|
// jar is signed/verified with error
|
|
ERROR,
|
|
|
|
// jar is signed/verified with warning
|
|
WARNING,
|
|
|
|
// jar is signed/verified without any warning and error
|
|
NORMAL
|
|
}
|
|
|
|
private static class SignItem {
|
|
|
|
private CertInfo certInfo;
|
|
private String version;
|
|
private String signatureAlgorithm;
|
|
// Signature algorithm that is extracted from verification output.
|
|
private String extractedSignatureAlgorithm;
|
|
private String tsaDigestAlgorithm;
|
|
// TSA digest algorithm that is extracted from verification output.
|
|
private String extractedTsaDigestAlgorithm;
|
|
private int tsaIndex;
|
|
private Status status;
|
|
private String signedJar;
|
|
|
|
private List<VerifyItem> verifyItems = new ArrayList<VerifyItem>();
|
|
|
|
private static SignItem build() {
|
|
return new SignItem();
|
|
}
|
|
|
|
private SignItem certInfo(CertInfo certInfo) {
|
|
this.certInfo = certInfo;
|
|
return this;
|
|
}
|
|
|
|
private SignItem version(String version) {
|
|
this.version = version;
|
|
return this;
|
|
}
|
|
|
|
private SignItem signatureAlgorithm(String signatureAlgorithm) {
|
|
this.signatureAlgorithm = signatureAlgorithm;
|
|
return this;
|
|
}
|
|
|
|
private SignItem extractedSignatureAlgorithm(
|
|
String extractedSignatureAlgorithm) {
|
|
this.extractedSignatureAlgorithm = extractedSignatureAlgorithm;
|
|
return this;
|
|
}
|
|
|
|
private SignItem tsaDigestAlgorithm(String tsaDigestAlgorithm) {
|
|
this.tsaDigestAlgorithm = tsaDigestAlgorithm;
|
|
return this;
|
|
}
|
|
|
|
private SignItem extractedTsaDigestAlgorithm(
|
|
String extractedTsaDigestAlgorithm) {
|
|
this.extractedTsaDigestAlgorithm = extractedTsaDigestAlgorithm;
|
|
return this;
|
|
}
|
|
|
|
private SignItem tsaIndex(int tsaIndex) {
|
|
this.tsaIndex = tsaIndex;
|
|
return this;
|
|
}
|
|
|
|
private SignItem status(Status status) {
|
|
this.status = status;
|
|
return this;
|
|
}
|
|
|
|
private SignItem signedJar(String signedJar) {
|
|
this.signedJar = signedJar;
|
|
return this;
|
|
}
|
|
|
|
private void addVerifyItem(VerifyItem verifyItem) {
|
|
verifyItems.add(verifyItem);
|
|
}
|
|
}
|
|
|
|
private static class VerifyItem {
|
|
|
|
private JdkInfo jdkInfo;
|
|
private Status status = Status.NONE;
|
|
private Status delayStatus = Status.NONE;
|
|
|
|
private static VerifyItem build(JdkInfo jdkInfo) {
|
|
VerifyItem verifyItem = new VerifyItem();
|
|
verifyItem.jdkInfo = jdkInfo;
|
|
return verifyItem;
|
|
}
|
|
|
|
private VerifyItem status(Status status) {
|
|
this.status = status;
|
|
return this;
|
|
}
|
|
|
|
private VerifyItem delayStatus(Status status) {
|
|
this.delayStatus = status;
|
|
return this;
|
|
}
|
|
}
|
|
|
|
// The identifier for a specific signing.
|
|
private static String signingId(SignItem signItem) {
|
|
return signItem.signedJar;
|
|
}
|
|
|
|
// The identifier for a specific verifying.
|
|
private static String verifyingId(SignItem signItem, VerifyItem verifyItem,
|
|
boolean delayVerify) {
|
|
return "S_" + signingId(signItem) + "-" + (delayVerify ? "DV" : "V")
|
|
+ "_" + verifyItem.jdkInfo.version;
|
|
}
|
|
|
|
private static String reportRow(SignItem signItem, VerifyItem verifyItem) {
|
|
List<String> values = new ArrayList<String>();
|
|
values.add(signItem.certInfo.toString());
|
|
values.add(signItem.version);
|
|
values.add(null2Default(signItem.signatureAlgorithm,
|
|
signItem.extractedSignatureAlgorithm));
|
|
values.add(signItem.tsaIndex == -1
|
|
? ""
|
|
: null2Default(signItem.tsaDigestAlgorithm,
|
|
signItem.extractedTsaDigestAlgorithm));
|
|
values.add(signItem.tsaIndex == -1 ? "" : signItem.tsaIndex + "");
|
|
values.add(HtmlHelper.anchorLink(
|
|
PhaseOutputStream.fileName(PhaseOutputStream.Phase.SIGNING),
|
|
signingId(signItem),
|
|
signItem.status.toString()));
|
|
values.add(verifyItem.jdkInfo.version);
|
|
values.add(HtmlHelper.anchorLink(
|
|
PhaseOutputStream.fileName(PhaseOutputStream.Phase.VERIFYING),
|
|
verifyingId(signItem, verifyItem, false),
|
|
verifyItem.status.toString()));
|
|
if (DELAY_VERIFY) {
|
|
values.add(HtmlHelper.anchorLink(
|
|
PhaseOutputStream.fileName(
|
|
PhaseOutputStream.Phase.DELAY_VERIFYING),
|
|
verifyingId(signItem, verifyItem, true),
|
|
verifyItem.delayStatus.toString()));
|
|
}
|
|
values.add(isFailed(signItem, verifyItem) ? "X" : "");
|
|
return HtmlHelper.htmlRow(values.toArray(new String[values.size()]));
|
|
}
|
|
|
|
private static boolean isFailed(SignItem signItem,
|
|
VerifyItem verifyItem) {
|
|
return signItem.status == Status.ERROR
|
|
|| verifyItem.status == Status.ERROR
|
|
|| verifyItem.delayStatus == Status.ERROR;
|
|
}
|
|
|
|
// If a value is null, then displays the default value or N/A.
|
|
private static String null2Default(String value, String defaultValue) {
|
|
return value == null
|
|
? DEFAULT + "(" + (defaultValue == null
|
|
? "N/A"
|
|
: defaultValue) + ")"
|
|
: value;
|
|
}
|
|
}
|